b"Report No. D-2008-006         October 26, 2007\n\n\n\n\n          Automated Time Attendance\n  and Production System's Compliance with the\n    Defense Business Transformation System\n              Certification Criteria\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Department of\n  Defense Inspector General at http://www.dodig.mil/audit/reports or contact the\n  Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax\n  (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Office of the Deputy\n  Inspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax (703)\n  604-8932. Ideas and requests can also be mailed to:\n\n                       ODIG-AUD (ATTN: Audit Suggestions)\n                       Department of Defense Inspector General\n                         400 Army Navy Drive (Room 801)\n                             Arlington, VA 22202-4704\n\n\n\n\nAcronyms\n\nAT&L                  Acquisition Technology and Logistics\nATAAPS                Automated Time Attendance and Production System\nBTA                   Business Transformation Agency\nCCA                   Clinger-Cohen Act\nCIO                   Chief Information Officer\nCONOPS                Concept of Operations\nDAA                   Designated Approving Authority\nDBSMC                 Defense Business System Management Committee\nDFAS                  Defense Finance and Accounting Service\nDITSCAP               DoD Information Technology Security Certification and\n                         Accreditation Process\nESG                   Executive Steering Group\nFFMIA                 Federal Financial Management Improvement Act\nIRB CONOPS            Investment Review Board Concept of Operations\nIRWG                  Investment Review Working Group\nL&P                   Labor and Production\nNDAA                  National Defense Authorization 
Act\nODIG-AUD              Office of the Deputy Inspector General for Auditing\nOIG                   Office of Inspector General\nOSD                   Office of the Secretary of Defense\nT&A                   Time and Attendance\nUSD                   Under Secretary of Defense\n\x0c                              INSPECTOR GENERAL\n\n                             DEPARTMENT OF DEFENSE\n\n                              400 ARMY NAVY DRIVE\n\n                         ARLINGTON , VIRGINIA 22202-4704\n\n\n\n\n                                                                    October 26, 2007\n\n\n\nMEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR\n                 ACQUISITION, TECHNOLOGY, AND LOGISTICS\n               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING\n                 SERVICE\n\nSUBJECT: Report on the Automated Time Attendance and Production System's\n         Compliance with the Defense Business Transformation System\n         Certification Criteria (Report No. D-2008-006)\n\n\n      Weare providing this report for review and comment. We considered\nmanagement comments on a draft of this report when preparing the final report.\n         DoD Directive 7650.3 requires that all recommendations be resolved promptly.\nThe management comments for Recommendation l.a. were responsive. However, we\nrequest that the Deputy Under Secretary of Defense for Acquisition, Technology, and\nLogistics, by November 30, 2007, provide the published certification guidance and\ncriteria for defining the tier-level designations, required documentation, and significance\nof documentation because they were published after we conducted our audit work. The\nDeputy Under Secretary of Defense for Acquisition, Technology, and Logistics comments\non Recommendation l .b. were partially responsive. Therefore, we request that the\nDeputy Under Secretary of Defense for Acquisition, Technology, and Logistics provide\nadditional comments on Recommendation l .b. 
by November 30, 2007.\n        Ifpossible, please send management comments in electronic format (Adobe\nAcrobat file only) to Auddfs@dodig.mil. Copies of the management comments must\ncontain the actual signature of the authorizing official. We cannot accept the / Signed /\nsymbol in place of the actual signature . If you arrange to send classified comments\nelectronically, they must be sent over the SECRET Internet Protocol Router Network\n(SIPRNET).\n        We appreciate the courtesies extended to the staff. Questions should be directed\nto Ms. Patricia C. Remington at (703) 428-1054 (DSN 328-1054) or Ms. Carolyn J. Davis\nat (703) 428-0470 (DSN 328-0470) . See Appendix B for the report distribution. The\nteam members are listed inside the back cover.\n                                By direction of the Deputy Inspector General for Auditing:\n\n\n                                          l~a-f!J~\n                                          'lor Paul J. Granetto, CPA\n                                    Assistant Inspector General and Director\n                                      Defense Financial Auditing Service\n\x0c\x0c                     Department of Defense Office of Inspector General\n                                                                                          October 26, 2007\nReport No. D-2008-006\n      (Project No. D2006-D000FG-0203.000)\n\n            Automated Time Attendance and Production System's\n         Compliance with the Defense Business Transformation System\n                            Certification Criteria\n\n                                          Executive Summary\n\nWho Should Read This Report and Why? DoD personnel who prepare, review,\ncertify, and approve Defense business system investments will find this report of interest.\nIt describes the Defense Finance and Accounting Service (DFAS) policies and\nprocedures used to approve the Defense business modernizations. 
Specifically, this\nreport discusses the procedures used to approve the FY 2006 modernization efforts for\nthe Automated Time Attendance and Production System (ATAAPS).\nBackground. The Deputy Under Secretary of Defense (Business Transformation)\nrequested that we review DoD Component compliance with the Defense Business\nTransformation System Certification Criteria. This report is one in a series and discusses\nthe compliance of the ATAAPS with the Defense Business Transformation System\nCertification Criteria. Additional reports will discuss other business systems compliance.\nThe \xe2\x80\x9cRonald W. Reagan National Defense Authorization Act for Fiscal Year 2005\xe2\x80\x9d\n(NDAA) states that funds appropriated for Defense business system modernizations in\nexcess of $1 million may not be obligated unless certified by the Designated Approving\nAuthority and approved by the Defense Business Systems Management Committee\n(DBSMC). To comply with the NDAA, the DBSMC issued the Investment Review\nBoard Concept of Operations (IRB CONOPS). The IRB CONOPS provides guidance on\ncertifying Defense business system investments in excess of $1 million, which require an\nOffice of the Secretary of Defense-level review and approval. Defense business system\ninvestments under $1 million do not require an Office of the Secretary of Defense-level\nreview and approval, unless designated as a special interest program. \xe2\x88\x97 Investments under\n$1 million are subjected to the Component-level review and approval process. The\nComponent-level investment review processes should be consistent with the NDAA and\nthe IRB CONOPS.\nATAAPS is a DFAS automated system. The system offers the ability to review the status\nof an individual employee\xe2\x80\x99s time and attendance file for current, future, and prior pay\nperiods.\nResults. 
The Under Secretary of Defense for Acquisition, Technology, and Logistics\nand DFAS did not implement sufficient controls to ensure that modernization decisions\nwere based on adequate documentation. As a result, the scope and total cost of the\napproved effort were not accurately presented nor adequately and sufficiently supported\n\n\xe2\x88\x97\n    Special interest is based on technological complexity, Congressional interest, or program criticality to the\n    achievement of a capability or set of capabilities. Special interest is also based on whether the program is\n    a joint program or whether the resources committed to the program are substantial.\n\x0cto show compliance with Federal laws and regulations. (See the Finding section of the\nreport for detailed recommendations.)\nManagement Comments and Audit Response. The Deputy Under Secretary of\nDefense for Acquisition, Technology, and Logistics nonconcurred with the\nrecommendations. At the time we concluded our audit work, Office of the Deputy Under\nSecretary of Defense for Acquisition, Technology, and Logistics personnel were unable\nto provide evidence that they revised and published the certification guidance and criteria\nfor defining tier-level designations, required documentation, and significance of\ndocumentation for the modernization packages. Therefore, we request that the Deputy\nUnder Secretary of Defense for Acquisition, Technology, and Logistics provide the\npublished certification guidance and criteria for defining the tier-level designations,\nrequired documentation, and significance of documentation for the modernization\npackages because they were published after we conducted our audit work.\n\nAdditionally, the Deputy Under Secretary of Defense for Acquisition, Technology, and\nLogistics actions in response to the revised criteria for the modernization packages took\nplace after we conducted audit field work at DFAS Pensacola, Florida, and DFAS\nHeadquarters, Arlington, Virginia. 
Office of the Deputy Under Secretary of Defense for\nAcquisition, Technology, and Logistics personnel were unable to provide evidence that\nthey approved or rejected certification packages based on compliance with laws and\nregulations, such as the Federal Financial Management Improvement Act and the Clinger\nCohen Act. Therefore, we request that the Deputy Under Secretary of Defense for\nAcquisition, Technology, and Logistics provide further comments explaining the specific\ncriteria used to approve and reject modernization packages.\n\nThe Director, Defense Finance and Accounting Service concurred with the\nrecommendation to improve the FY 2007 investment review process by updating process\ndocuments and providing detailed instructions and procedures for completing workbooks.\nFor FY 2007, DFAS requires that all modernization efforts, regardless of dollar amount,\nhave the same documentation and level of review. (See the Finding section of the report\nfor the detailed recommendations.)\n\nManagement Actions. Although DFAS nonconcurred with our conclusion, we commend\nthem for taking positive action to correct the problem associated with the 4th Quarter\nFY 05 Investment Review Board Guidance.\n\n\n\n\n                                            ii\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\nBackground                                                                1\n\nObjective                                                                 3\n\nReview of Internal Controls                                               4\n\nFinding\n     Investment Review Process for Business Systems Investments           5\n\nAppendixes\n     A. Scope and Methodology                                            10\n     B. 
Report Distribution                                              12\n\nManagement Comments\n     Office of Under Secretary of Defense, Acquisition, Technology and   15\n       Logistics\n\n     Defense Finance and Accounting Service                              20\n\x0c\x0cBackground\n    The Deputy Under Secretary of Defense (Business Transformation) requested that\n    we review DoD Component compliance with the Defense Business\n    Transformation System Certification Criteria. This report is one in a series and\n    discusses the compliance of the Automated Time Attendance and Production\n    System (ATAAPS) with the Defense Business Transformation System\n    Certification Criteria.\n\n    National Defense Authorization Act. On October 28, 2004, Congress passed\n    Public Law 108-375, \xe2\x80\x9cRonald W. Reagan National Defense Authorization Act for\n    Fiscal Year 2005\xe2\x80\x9d (NDAA). Section 2222 of the NDAA states that funds\n    appropriated for Defense business modernizations in excess of $1 million may not\n    be obligated unless the Designated Approving Authority (DAA) certifies the\n    modernization to the Defense Business Systems Management Committee\n    (DBSMC), and the DBSMC approves the certification. 
The NDAA defines\n    business system modernizations as, \xe2\x80\x9cthe acquisition or development of a new\n    defense business system or any significant modification or enhancement of an\n    existing system.\xe2\x80\x9d In addition, the NDAA required the Secretary of Defense to\n    delegate the review, approval, and oversight of the Defense business systems to\n    the following four Offices of the Secretary of Defense (OSD)-level approval\n    authorities:\n\n           \xe2\x80\xa2   Under Secretary of Defense for Acquisition, Technology, and\n               Logistics (USD [AT&L]);\n\n           \xe2\x80\xa2   Under Secretary of Defense (Comptroller);\n\n           \xe2\x80\xa2   Under Secretary of Defense for Personnel and Readiness; and\n\n           \xe2\x80\xa2   Assistant Secretary of Defense for Networks and Information\n               Integration and Chief Information Officer of the Department of\n               Defense.\n\n    Each approving authority is required to establish an investment review process\n    that periodically (at least annually) reviews all business system investments. In\n    addition, the process should include an Investment Review Board (IRB) review\n    and approval for each Defense business system.\n\n    Section 186 of the NDAA directed the Secretary of Defense to establish the\n    DBSMC. The DBSMC is responsible for coordinating Defense business system\n    modernization initiatives to maximize benefits and minimize costs, and ensure\n    that funds are obligated for Defense business systems in a manner consistent with\n    section 2222 of the NDAA.\n\n    Investment Review Board Concept of Operations. On June 2, 2005, the\n    DBSMC issued the Investment Review Board Concept of Operations (CONOPS).\n    The CONOPS integrates policies, specifies responsibilities, and establishes\n    processes to comply with section 2222 of the NDAA. 
It outlines the investment\n    review process that all IRB members, Components, chief information officers\n\n\n\n                                         1\n\x0c           (CIOs), and program managers should follow if they have responsibility for\n           business system investments.\n\n           The CONOPS introduces a structured investment review and certification process\n           that includes determining review and certification requirements, Component\n           review, and OSD-level review and certification. The CONOPS identifies three\n           levels of certification review or tiers. Tier certification processes are established\n           based on the program scope, cost, and complexity. The tier process also provides\n           flexibility if the program has been designated as a special interest program. 1 The\n           CONOPS defines the following tier certification processes.\n\n           \xe2\x80\xa2    Tier 1: certification processes that apply to Major Automated Information\n                Systems or programs.\n\n           \xe2\x80\xa2    Tier 2: certification processes that apply to modernizations and investments\n                valued at $10 million to less than the Major Automated Information System\n                threshold, 2 or those designated as special interest.\n\n           \xe2\x80\xa2    Tier 3: certification processes that apply to those modernizations and\n                investments greater than $1 million to less than $10 million.\n\n           The CONOPS provides guidance on preparing, reviewing, and certifying Defense\n           business system investments in excess of $1 million, which require an OSD-level\n           review. Defense business system investments under $1 million do not require an\n           OSD-level review and approval, unless designated as a special interest program.\n           Instead, investments under $1 million require a Component-level review and\n           approval process. 
3 The CONOPS requires Components to establish their own\n           governance structures for investment review to support their transformation\n           initiatives. The Component investment review processes should be consistent\n           with the NDAA and the CONOPS. Other than Component-developed procedures,\n           there are no criteria for reviewing and approving investments under $1 million.\n\n           Business System investments under $1 million are categorized as Tier 4\n           investments. However, the definition of Tier 4 is not described in the IRB\n           CONOPS. The Business Transformation Agency (BTA) 4 established this term in\n           a manual titled, \xe2\x80\x9cInvestment Certification and Annual Review Process User\n           Guidance,\xe2\x80\x9d dated April 10, 2006. The BTA established the User Guidance after\n           the ATAAPS modernization investment was certified. Therefore, this guidance is\n           not part of the criteria used to evaluate the ATAAPS modernization and\n           accreditation process.\n\n           Defense Finance and Accounting Service Investment Review Process. The\n           Defense Finance and Accounting Service (DFAS) developed a Component-level\n           review and approval process. For FY 2006 modernization investments under\n           $1 million, DFAS developed and used workbooks. The workbooks were modeled\n\n1\n    Special interest is based on technological complexity, Congressional interest, or program criticality to the\n    achievement of a capability or set of capabilities. 
Special interest is also based on whether the program is\n    a joint program or whether the resources committed to the program are substantial.\n2\n    The current Major Automated Information System threshold is $32 million.\n3\n    The process is referred to as a Tier 4 process.\n4\n    The BTA serves the interest of the entire Business Mission Area of the DoD and reports to the Under\n    Secretary of Defense for Acquisition, Technology, and Logistics.\n\n\n                                                        2\n\x0cafter the standard set of IRB criteria outlined in the CONOPS. The workbooks\ncontained system-specific questions. System managers were required to certify if\ntheir automated systems were aligned with applicable policies, laws, and\nregulations. Specifically, system managers were required to indicate if their\nsystem was compliant with the Clinger-Cohen Act (CCA), DoD Information\nTechnology Security Certification and Accreditation Process (DITSCAP), and the\nFederal Financial Management Improvement Act (FFMIA).\n\nClinger-Cohen Act. The CCA of 1996 establishes a top-down restructuring of\nFederal information technology acquisition programs. The goal of the CCA is to\nimprove the acquisition and management of Federal information technology\nprograms. The CCA requires the establishment of an efficient and effective\ninformation technology program for the Federal Government.\n\nDoD Information Technology Security Certification and Accreditation\nProcess. 
The DITSCAP establishes a standard Department-wide process, set of\nactivities, general tasks, and a management structure to certify and accredit\ninformation systems and maintain the information assurance and security posture\nof the Defense information infrastructure throughout the life cycle of each system.\nThe accreditation process is a formal declaration by the DAA that an information\nsystem is approved to operate in a particular security mode using a prescribed set\nof safeguards at an acceptable level of risk.\n\nFederal Financial Management Improvement Act of 1996. The FFMIA was\nenacted in 1996 to ensure consistent accounting by an agency from one fiscal year\nto the next. The FFMIA also requires uniform accounting standards throughout\nthe Federal Government. Federal financial data, including the full costs of\nFederal programs and activities, are required so that programs and activities can\nbe considered based on their full costs and merits.\n\nAutomated Time Attendance and Production System. For FY 2005, the\nATAAPS system manager completed a workbook for a $5.9 million\nmodernization of the ATAAPS. The ATAAPS captures time and attendance\n(T&A) and labor and production (L&P) data and feeds it into the Defense\nCivilian Pay System and accounting systems on a daily basis. It provides the user\na single, consolidated input method for reporting both T&A and L&P\ninformation. The system is configured to support core financial requirements for\nDFAS, as well to provide civilian T&A services for its customers located at DoD\nand non-DoD activities worldwide.\n\nATAAPS is modularly designed, and system functions are separated into\nindividual modules that may be accessed by menu selections from the\nATAAPS module select screen. The system provides for internal control\nof access modules through the use of security authorizations assigned to\nemployee records. 
The system also offers the ability to review the status of\nan employee\xe2\x80\x99s T&A file for current, future, and prior pay periods.\n\nATAAPS produces an electronic time and attendance report and can\ngenerate individual and summary inquiries for various users.\n\n\n\n\n                                     3\n\x0cObjective\n     Our overall audit objective was to determine whether ATAAPS was properly\n     certified and accredited in accordance with the Defense Business Transformation\n     Certification Criteria. Specifically, we determined if ATAAPS complied with the\n     Investment Review Process. Although an announced objective, we did not\n     review the management control program as it related to the overall objective\n     because a management control program was not developed for the Investment\n     Review Process. See Appendix A for a discussion of the scope and methodology.\n\n\nReview of Internal Controls\n     The USD (AT&L) and DFAS did not implement sufficient controls to ensure that\n     the modernization decision for ATAAPS was based on adequate documentation.\n     As a result, the DFAS Executive Steering Group approved the modernization for\n     $991,000 based on unsupported information. Without adequate standard\n     procedures and controls for modernization investments, the DFAS Executive\n     Steering Group may continue to approve procurements that are not adequately\n     supported and reviewed. See the Finding section of the report for a complete\n     discussion of our review.\n\n\n\n\n                                        4\n\x0c           Investment Review Process for Business\n           Systems Investments\n           The USD (AT&L) and DFAS did not implement sufficient controls for\n           preparing, supporting, and pre-certifying modernization packages. 
The\n           USD (AT&L) and DFAS did not have sufficient controls in place to\n           ensure that information in modernization packages was validated,\n           complied with Federal and DoD guidance, and was supported by adequate\n           documentation. This occurred because the USD (AT&L) investment\n           review process guidance was inadequate for DFAS to prepare, validate,\n           review, and submit its modernization packages. This guidance was\n           continuously being modified, which created uncertainty as to what was\n           required to be submitted and reviewed. Specifically, the guidance did not\n           clearly identify and define:\n\n              \xe2\x80\xa2   tier-level designations,\n\n              \xe2\x80\xa2   required documentation, and\n\n              \xe2\x80\xa2   significance of documentation\n\n           As a result, the scope and total cost of the approved effort were not\n           accurately presented, and compliance with Federal laws and regulations\n           was not substantiated.\n\n\nDFAS Investment Review Process\n    On September 2, 2005, DFAS established its own investment review process and\n    governance structure to support Component transformation initiatives and to\n    comply with the CONOPS. DFAS designated the CIO as the headquarters-level\n    authority accountable for business system investments. The CIO acts as the Pre-\n    Certification Authority for business system modernizations or enhancements\n    under and over $1 million. The CIO pre-certifies and submits the investment\n    proposals to the IRB.\n\n    DFAS Executive Steering Group. The Executive Steering Group (ESG) is the\n    agency\xe2\x80\x99s primary, executive-level, decision-making body that reports to the\n    Director of DFAS. Among many other responsibilities, the ESG oversees the\n    DFAS portfolio management initiatives. In doing so, the ESG serves as the\n    Component-level IRB for DFAS. 
It reviews and approves investment proposals\n    based on decision criteria, such as the CONOPS and internal DFAS policies and\n    procedures.\n\n    DFAS Investment Review Working Group. The ESG established the DFAS\n    Information Technology Investment Review Working Group (IRWG) to conduct\n    due diligence reviews and provide input on information technology portfolio and\n    investment issues to the ESG. It is chaired by the Deputy CIO and is composed\n    of representatives from each DFAS directorate or business line. The IRWG\n    coordinates and resolves investment issues that arise during the Portfolio\n\n\n                                        5\n\x0c    Management Processes. This process is part of the DFAS governance process for\n    information technology investment management and review. The IRWG also\n    recommend approval of investment proposals to the ESG.\n\n    DFAS IRB Process for Investments over $1 Million. The IRWG assists in\n    overseeing the Investment Review Process. Prior to obligating funds for\n    modernizations and enhancements over $1 million, DFAS required that system\n    managers complete an IRB workbook providing system information. System\n    managers were required to complete the workbook by answering system-related\n    questions and providing supplemental documents, such as architecture diagrams.\n    The workbook and supplemental materials were reviewed by the IRWG. If the\n    investment proposals were satisfactory, the IRWG recommended certification to\n    the CIO. The CIO would then pre-certify and recommend approval and\n    certification of the investment proposal to the IRB and the DBSMC.\n\n\nTier Designation and Funding Validation\n    DFAS certified ATAAPS using the certification process for a Tier 4 system\n    modernization, when, in fact, ATAAPS is a Tier 3 system modernization. 
When\n    DFAS submitted the ATAAPS certification package for review and certification\n    to the DoD IRB, DFAS requested funding approval of $991,000 for the\n    modernization investment. However, this amount represented the investment for\n    FY 2006 only and did not include the total funding of $5.9 million as represented\n    in the Economic Viability Review.\n\n    The DoD IRB determined that the modernization investment was under the\n    $1 million threshold, based on the information provided by DFAS. Consequently,\n    the DoD IRB returned the modernization package to DFAS for review and\n    certification by the ESG. Therefore, the ATAAPS modernization package was\n    not certified by the designated DoD IRB or approved by the DBSMC.\n\n\nFY 2006 Automated Time Attendance and Production System\n  Workbook\n    The USD (AT&L) and DFAS did not implement sufficient controls to ensure that\n    the modernization decision for ATAAPS was based on adequate documentation.\n    In addition, USD (AT&L) and DFAS guidance did not emphasize the significance\n    of appropriate supporting documentation to show CCA and FFMIA compliance.\n    Although the ATAAPS workbook did not show supporting documentation for\n    CCA and FFMIA compliance, the ATAAPS system manager did provide\n    supporting documentation for DISTCAP compliance.\n\n    We reviewed the ATAAPS modernization package prepared by the ATAAPS\n    system manager and submitted to DFAS for validation and approval. The\n    modernization package included questions that dealt with ATAAPS compliancy\n    with the CCA and the FFMIA.\n\n    The IRB CONOPS guidance issued by USD (AT&L) was effective on June 2,\n    2005. This guidance did not require the system manager to provide supporting\n\n\n                                        6\n\x0cdocumentation to validate the responses in the workbook. 
Without clear\nguidance, the system owners were not aware of the need to provide\ndocumentation to support CCA and FFMIA compliance.\n\nClinger-Cohen Act. The IRB workbook stated that ATAAPS was compliant\nwith CCA. However, we could not sufficiently validate whether ATAAPS was\ncompliant with CCA because of the lack of supporting documentation. For\nexample, the program manager should have documentation to show the rationale\nand justification for the investment selection, details on how the investment was\nmanaged, and an evaluation of the results of investment. This documentation did\nnot exist because the program mangers did not receive guidance on what\ndocumentation was required and should be maintained to support each IRB\nworkbook response. Although DFAS is working to refine the CCA compliance\nand validation process, ATAAPS compliance with CCA for FY 2006 was not\nsufficiently validated and remains unsupported.\n\nThe CCA establishes a management framework for translating mission needs and\ntechnology opportunities, based on approved mission needs and requirements,\ninto well-managed acquisition programs, such as automated information systems.\nAccording to the CCA of 1996, the executive agency is responsible for designing\nand implementing a process for maximizing the value and assessing and\nmanaging the risks of the information technology acquisitions of the agency.\nSpecifically, the process should provide for the:\n\n    \xe2\x80\xa2   selection of information technology investments,\n\n    \xe2\x80\xa2   management of such investments,\n\n    \xe2\x80\xa2   evaluation of the results of such investments, and\n\n    \xe2\x80\xa2   minimum criteria for considering undertaking a particular investment.\n\nFederal Financial Management Improvement Act of 1996. 
In the IRB\nworkbook, the system manager answered that ATAAPS was FFMIA compliant.\nHowever, we could not sufficiently validate whether ATAAPS was compliant\nwith FFMIA because the system manager did not provide documentation to\nsupport the compliance with FFMIA. DFAS investment review guidance does\nnot require system managers to maintain documents used to support the responses\nin the modernization submission package.\n\nThe FFMIA requires that agencies provide reliable, timely financial information;\nprotect resources from loss, misappropriation, or destruction; and comply with\nFederal financial accounting standards. Additionally, the FFMIA requires each\nagency to implement and maintain financial systems that comply with Federal\nfinancial management system requirements, applicable Federal accounting\nstandards, and the United States General Ledger at the transaction level. The\nFFMIA requires agencies to report whether their financial management systems\ncomply with the requirements of the Act.\n\nThe ATAAPS system manager needed to maintain documentation that supported\nresponses to the IRB workbook questions. The system manager also needed to\nensure that the supporting documentation was current and provided the best\nassurance that responses were valid. Supporting documentation should be\nretained and maintained so they can be used to verify the responses in the\n\n                                     7\n\x0c    modernization submission package and compliance with Federal laws and\n    regulations.\n\n    DoD Information Technology Security Certification and Accreditation\n    Process. 
In addition to the CCA and FFMIA, we reviewed the IRB workbook to\n    determine whether it contained supporting documentation to show compliance\n    with DITSCAP.\n\n    DITSCAP requires recertification every 3 years or whenever changes occur to the\n    mission, software, hardware configuration, or operating environment that are\n    significant and affect the original security posture accepted by the DAA. In\n    addition, DoD 8510.1-M, \xe2\x80\x9cDITSCAP Application Manual,\xe2\x80\x9d states that post\n    accreditation activities will include ongoing maintenance of the System Security\n    Authorization Agreement, system operations, security operations, configuration\n    management, and compliance validation. The DITSCAP Application Manual\n    also states that site operations staff and the Information Systems Security Officer\n    are responsible for maintaining an acceptable level of residual risk. This is\n    achieved by addressing security considerations when changes are made to either\n    the information system baseline or the baseline of the computing environment.\n\n    The ATAAPS system manager was able to provide a signed and updated copy of\n    the System Security Authorization Agreement to support the IRB response in the\n    workbook. As a result, the DITSCAP assertion of compliance was adequately\n    supported.\n\n\nConclusion\n    DFAS did not ensure that the ATAAPS modernization package was properly\n    prepared, supported, and approved by the appropriate IRB approval authority.\n    Because USD (AT&L) did not provide clear guidance on tier-level designations,\n    the total cost and scope of the approved effort were not accurately presented and\n    supported. Additionally, because the DBSMC and DFAS did not specify the\n    required IRB workbook documentation, the ATAAPS modernization package was\n    approved without supporting documentation.\n\n\nRecommendations, Management Comments, and Audit\nResponse\n    1.  
We recommend that the Deputy Under Secretary of Defense for\n    Acquisition, Technology, and Logistics:\n\n            a. Revise and clarify the Defense Business Transformation System\n    Certification Criteria and the Investment Review Process. Specifically, the\n    criteria need to address:\n\n                   (1) tier-level designations,\n                   (2) required documentation, and\n                   (3) significance of documentation.\n\nManagement Comments. The Deputy Under Secretary of Defense for Acquisition,\nTechnology, and Logistics nonconcurred. The Deputy Under Secretary of Defense\nfor Acquisition, Technology, and Logistics stated that he revised and published the\ncertification guidance and criteria for defining tier-level designations, required\ndocumentation, and significance of documentation.\nAudit Response. Although the Deputy Under Secretary of Defense for Acquisition,\nTechnology, and Logistics nonconcurred with the recommendations, we consider the\nmanagement comments responsive. However, we request that the Deputy Under\nSecretary of Defense for Acquisition, Technology, and Logistics provide the\npublished certification guidance and criteria for defining the tier-level designations,\nrequired documentation, and significance of documentation because they were\npublished after we conducted our audit work at DFAS Pensacola, Florida, and DFAS\nHeadquarters, Arlington, Virginia.\n     b. Establish approval and rejection criteria for the modernization\npackages to include compliance with applicable laws and regulations.\nManagement Comments. The Deputy Under Secretary of Defense for Acquisition,\nTechnology, and Logistics nonconcurred with the recommendation, stating that\nprocedures were in place to support approval and rejection criteria.\nAudit Response. The Deputy Under Secretary of Defense for Acquisition,\nTechnology, and Logistics comments are partially responsive. 
When we concluded our\naudit work, Office of the Deputy Under Secretary of Defense for Acquisition,\nTechnology, and Logistics personnel were unable to provide evidence that they\napproved or rejected modernization packages based on compliance with laws and\nregulations, such as FFMIA and the Clinger-Cohen Act. We request that the Deputy\nUnder Secretary of Defense for Acquisition, Technology, and Logistics provide\ncomments in response to the final report explaining what specific criteria were used\nto approve and reject modernization packages.\n2. We recommend that the Director, Defense Finance and Accounting Service\nreview the revised Defense Business Transformation System Certification\nCriteria and Investment Review Process and develop supplemental guidance as\nnecessary to ensure compliance with Federal and DoD regulations.\nManagement Comments. The Director, Defense Finance and Accounting Service\nconcurred, stating that DFAS has improved the FY 2007 investment review process\nby updating its process documents and providing detailed instructions and procedures\nfor completing workbooks. Further, DFAS requires that all modernization efforts,\nregardless of dollar amount, have the same documentation and level of review. In\naddition, DFAS has added subject matter experts to the IRWG to ensure better\nreviews of modernization packages to comply with the Clinger-Cohen Act,\nDITSCAP, Business Enterprise Architecture, and Standard Financial Information\nStructure. Lastly, for FY 2007, the IRWG has published standard review criteria,\nincluding instructions for each topic area of the books and reporting documentation\nrequired for review.\nAudit Response. We commend DFAS for taking positive action to correct the\nproblem associated with the 4th Quarter FY05 Investment Review Board Guidance.\nNo further comments are required.\n\n\nAppendix A. 
Scope and Methodology\n   We conducted this performance audit from May 2006 through March 2007 in\n   accordance with generally accepted government auditing standards. Those\n   standards require that we plan and perform the audit to obtain sufficient,\n   appropriate evidence to provide a reasonable basis for our findings and\n   conclusions based on our audit objectives. We believe that the evidence obtained\n   provides a reasonable basis for our findings and conclusions based on our audit\n   objectives.\n\n   We performed the audit at DFAS Headquarters in Arlington, Virginia, and DFAS\n   Pensacola, Florida. We reviewed the DFAS Investment Review Process used to\n   approve the obligation of funding for FY 2006 ATAAPS modernization efforts.\n   We interviewed the ATAAPS system manager. We also obtained and reviewed\n   DFAS Investment Review Process procedures and documentation. Specifically,\n   we reviewed charters, designation letter, and the FY 2006 ATAAPS\n   modernization workbook and supplemental documentation.\n\n   We reviewed and compared the procedures and documentation to the following\n   laws, policies, and DFAS guidance related to the Defense Business System\n   Investment Review Process. Specifically, we:\n\n          \xe2\x80\xa2   interviewed personnel and discussed policies and procedures at DFAS\n              Headquarters in Arlington, Virginia; DFAS Cleveland Program\n              Management Office; and the Technical Service Organization in\n              Pensacola, Florida;\n\n          \xe2\x80\xa2   reviewed and analyzed documentation submitted by DFAS Pensacola\n              to DFAS Headquarters and the Executive Steering Group; and\n\n          \xe2\x80\xa2   reviewed and compared the procedures and documentation to the\n              following laws and DFAS guidance related to the Investment Review\n              Process. Specifically, we reviewed:\n\n                 \xe2\x88\x92 Public Law 108-375, \xe2\x80\x9cRonald W. 
Reagan National Defense\n                   Authorization Act for Fiscal Year 2005 (NDAA),\xe2\x80\x9d\n                   October 28, 2004;\n\n                 \xe2\x88\x92 Public Law 104-208, \xe2\x80\x9cFederal Financial Management\n                   Improvement Act,\xe2\x80\x9d September 30, 1996;\n\n                 \xe2\x88\x92 Public Law 104-106, \xe2\x80\x9cClinger-Cohen Act,\xe2\x80\x9d February 10, 1996;\n\n                 \xe2\x88\x92 DoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology\n                   Security Certification and Accreditation Process,\xe2\x80\x9d\n                   December 30, 1997;\n\n                 \xe2\x88\x92 DoD Manual 8510.1-M, \xe2\x80\x9cDoD Information Technology\n                   Security Certification and Accreditation Process Application\n                   Manual,\xe2\x80\x9d July 31, 2000;\n\n                  \xe2\x88\x92 \xe2\x80\x9cInvestment Review Process Overview and Concepts of\n                    Operations For Investment Review Boards,\xe2\x80\x9d May 17, 2005;\n\n                  \xe2\x88\x92 \xe2\x80\x9cBusiness Systems Investment Review Proposal Submission\n                    Guideline,\xe2\x80\x9d July 17, 2005; and\n\n                  \xe2\x88\x92 \xe2\x80\x9cDoD Information Technology Registry Merger Into the DoD\n                    Information Technology Portfolio Registry,\xe2\x80\x9d\n                    September 28, 2005.\n\n    We did not review the management control program as it related to the\n    Investment Review Process because a management control program has not been\n    established for this process.\n\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this audit.\n\n    Government Accountability Office High-Risk Area. The Government\n    Accountability Office has identified several high-risk areas in DoD. 
This report\n    provides coverage of the DoD Business System Modernization and the DoD\n    Approach to Business Transformation high-risk areas.\n\n\nPrior Coverage\n    No prior coverage has been conducted on the Automated Time Attendance and\n    Production System during the last 5 years.\n\n\nAppendix B. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\n  Director, Acquisition Resources and Analysis\nAssistant Secretary of Defense (Networks and Information Integration/Administration\n  and Management)\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nCombatant Command\nCommander, U.S. Joint Forces Command\n  Inspector General, U.S. 
Joint Forces Command\n\nOther Defense Organizations\nDirector, Defense Business Transformation Agency\nDirector, Defense Finance and Accounting Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Oversight and Government Reform\nHouse Subcommittee on Government Management, Organization, and Procurement,\n  Committee on Oversight and Government Reform\nHouse Subcommittee on National Security and Foreign Affairs,\n  Committee on Oversight and Government Reform\n\n\nOffice of the Under Secretary of Defense,\nAcquisition, Technology, and Logistics\n\n\nDefense Finance and Accounting Service\nComments\n\n\nTeam Members\nThe Department of Defense Office of the Deputy Inspector General for\nAuditing, Defense Financial Auditing Service prepared this report. Personnel of\nthe Department of Defense Office of Inspector General who contributed to the\nreport are listed below.\n\nPaul J. Granetto\nPatricia A. Marsh\nPatricia C. Remington\nElaine M. Jennings\nCarolyn J. Davis\nJulio Gonzalez\nYolanda Bailey\nGregory Crawford\nAnn L. Thompson\n"